I recall that many years ago, when I was in the consulting game, data classification implied data ownership. As a consultant, I would go to a group that used the enterprise resource planning (ERP) system - the finance department, for example - and point out that since they owned the system, they should classify the data in it. They immediately pointed out that the ERP system also was used by HR and by production for inventory. There was no way they were going to take even partial ownership. They - and the other departments - consequently sent me to IT. No joy there, either. IT took the position that they were only the custodians of the applications, not the data.
We went around and around this way until I managed to pare down the data that needed ownership, defined it narrowly and coerced - through the audit department - the various groups to take ownership of their individual bits of data. I subsequently found out that within six months of completing the project, data classification had essentially dropped to nothing: nobody was classifying anything or putting existing classification labels on data, emails, reports, etc.
The scenario describes many of the data classification projects I've heard about over the years - I certainly did not make that type of project my stock-in-trade going forward. But now we are faced with a new and very similar challenge. With the advent of data leakage prevention (DLP), we need an effective way to know what data we want to prevent from leaking. Back to data classification and labeling. Back to finger-pointing and refusal to accept ownership. But this month's emerging products offer a way around it - and it is both ingenious and effective.
The solution? Move classification and ownership to individual pieces of data and make the creator the owner/classifier. This, really, is not a new concept. We have applied it to discretionary access control (DAC), where the owner of an object is its creator - and that is the person who decides who may access it. We just need tools to perform the mechanics, and that is exactly what we have this month. Granted, there are subtle differences in approach, but essentially, this is DAC for data classification.
The five products we examine this month are exceptionally creative in their individual approaches. They are highly automated, virtually transparent to users and easily maintainable even in large enterprises. They exhibit controllable - and scalable - levels of granularity and they are, in my view, necessary adjuncts to data leakage prevention.
Basically, the way this class of products works is that the user creates an item of data, be it an email or a document of some kind. Using guidelines set out by the organization - and sometimes supported directly by the tool - the creator attaches a classification to the data item. In some cases, the tool checks the data item to see if it actually meets the standards for the applied level of classification, and then creates persistent metadata that travels with the data item until the owner, or someone of higher authority, changes the classification.
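To make the workflow concrete, here is a minimal sketch of the idea in Python - not any vendor's actual API, and the classification levels, content check and field names are all invented for illustration: the creator picks a label, the tool optionally sanity-checks it against a standard, and the result is written as persistent metadata on the item.

```python
# Illustrative sketch of creator-driven classification (hypothetical, not a
# real product API): the creator attaches a label, the tool validates it,
# and the label persists as metadata that travels with the data item.
from dataclasses import dataclass, field

# Invented classification hierarchy, lowest to highest sensitivity.
LEVELS = ["public", "internal", "confidential", "restricted"]

@dataclass
class DataItem:
    content: str
    metadata: dict = field(default_factory=dict)

def classify(item: DataItem, level: str, owner: str) -> DataItem:
    """Attach the creator's chosen classification as persistent metadata."""
    if level not in LEVELS:
        raise ValueError(f"unknown classification: {level}")
    # Stand-in for the tools' optional standards check: an item mentioning
    # salaries must be classified at least 'confidential'.
    if "salary" in item.content.lower() and \
            LEVELS.index(level) < LEVELS.index("confidential"):
        raise ValueError("content requires at least 'confidential'")
    item.metadata.update({"classification": level, "owner": owner})
    return item

doc = classify(DataItem("Q3 salary projections"), "confidential",
               "alice@example.com")
print(doc.metadata["classification"])  # confidential
```

Only the owner (or a higher authority) would be permitted to call something like `classify` again on an already-labeled item; that check is omitted here for brevity.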
This metadata is readable by the program creating the data item, so it appears on the item as an obvious classification label. It also is readable by DLP systems, so that the DLP tool can be told how to respond to the various classifications. The process is simplicity itself and the user is forced - though that is a bit strident, perhaps "required" might be better - to classify the data item before distributing it. The process, though, is so simple and so transparent that it poses no hardship, and data item owners rarely complain.
Once the item is classified, some of the products under review enforce the rules of the classification. If the rule for a confidential document precludes sending to an international address, the tool will enforce that, even if the owner decides to send it or a recipient decides to forward it. Simplicity, scalability and effectiveness all are the hallmarks of this month's emerging products.
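The enforcement side can be sketched the same way. The rule table, the toy "international address" heuristic and the function names below are all assumptions for illustration, but they show the shape of the check a DLP tool applies using the classification that travels with the item, regardless of who tries to send or forward it.

```python
# Hedged sketch of DLP-style rule enforcement (invented policy, not a real
# product's rule language): confidential items may not go to international
# addresses, whatever the sender or a forwarding recipient intends.
RULES = {
    "confidential": {"allow_international": False},
    "public": {"allow_international": True},
}

def is_international(address: str) -> bool:
    # Deliberately crude heuristic for the example: treat any top-level
    # domain outside .com/.us as international.
    domain = address.rsplit(".", 1)[-1].lower()
    return domain not in {"com", "us"}

def may_send(classification: str, recipient: str) -> bool:
    """Apply the rule for the item's classification; default to deny."""
    rule = RULES.get(classification, {"allow_international": False})
    return rule["allow_international"] or not is_international(recipient)

print(may_send("confidential", "partner@example.co.uk"))  # False
print(may_send("public", "partner@example.co.uk"))        # True
```

Because the decision keys off the persistent metadata rather than off who is holding the item, forwarding does not launder a confidential document into a sendable one - which is exactly the property the paragraph above describes.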